To whom it may concern,
Sorry if I'm not following the proper procedure; this is my first post on this list (please be gentle and point me in the right direction).
There is a bug in Conn.cc in the Connection::FlipRoles routine:
725,726c725,726
< resp_addr = orig_addr;
< orig_addr = tmp_addr;
Sorry if I'm not following the proper procedure; this is my first post on this list (please be gentle and point me in the right direction).
There’s some suggestions on how to contribute at [1]. For straight-forward/complete/small patches it’s probably easiest to fork on github and submit a pull request. For anything else, creating a ticket at tracker.bro.org w/ a proposed patch attached is helpful so things don’t get lost. I created a ticket for this at [2] for now if you want to create an account and “watch” it.
[1] http://bro.org/development/contribute.html
[2] [BIT-1148] - Bro Tracker
There is a bug in Conn.cc in the Connection::FlipRoles routine:
725,726c725,726
< resp_addr = orig_addr;
< orig_addr = tmp_addr;
---
orig_addr = resp_addr;
resp_addr = tmp_addr;
That does indeed look wrong, thanks.
However, this change does not address the issue when it occurs in an a connection that is to be captured via expect_connection (e.g., ftp_data). I did some digging into this aspect of out-of-order handshakes but it is a bit more involved than the main line connection processing. If anyone has advice on that aspect of this issue I'm all ears.
If I understand right, this is a separate issue from the bad address swapping. If you’re getting at the scheduled/expected analyzers mechanism doesn’t take in to account this Connection::FlipRoles code path, I think you’re right.
- Jon